PT1794973E - Method and system for controlling mobility in a communication network, related network and computer program product therefor - Google Patents

Abstract

A communication network, such as a Mobile IP network (30), comprises at least one mobile terminal (10) and a plurality of Home Agents (70) adapted to provide, within working sessions, communication services to the above mobile terminal (10). In the network (30) there is an Authentication, Authorisation and Accounting (AAA) platform (90), configured for identifying, within the above plurality, the Home Agent (70) that serves the at least one mobile terminal (10) in a selective and varying way within a single working session.

Description

DESCRIPTION

METHOD AND SYSTEM FOR THE CONTROL OF MOBILITY IN A COMMUNICATIONS NETWORK, RELATED NETWORK AND CORRESPONDING COMPUTER PROGRAM

Field of the Invention The present invention relates to techniques for managing traffic in telecommunications networks. The invention has been developed with particular care with the possible application in mobile networks based on the internet protocol (IP), namely, more precisely, in networks in which terminal mobility is managed with a mobile IP protocol.

In any case, reference to this particular field of application should not be taken in a limiting sense of the scope of the invention.

Description of the prior art

IP mobile networks identify a scenario in which a mobile user moves within the network and generates the traffic that is routed within the network to the nodes (corresponding nodes) with which the user is communicating.

During your movements, you may have to change the access network (subnet) that allows you to use IP services. This operation must be transparent to the 1 user, so that he can continue to communicate with the corresponding nodes without interruptions.

Traditional protocols on which IP networks are based, because of their nature, are not capable of managing the IP terminals that move within the network. In order to fill this space, the IETF (Internet Engineering Task Force) standardization entity has defined the mobile IPv6 protocol, which allows IPv6 mobile terminals to change their point of connection to the network in a transparent way with respect to applications . The mobile IPv6 protocol is specified in the rfc3775 document. This is the first of several references made in the present description to drawing standards or standards ... or of RTC types ... types: the information relating thereto are publicly available on the filing date of the present application in IEFT website at http://www.ietf.org or, alternatively, on the online database http://www.watersprings.org.

In case the IPv6 mobile protocol is adopted, two IP addresses are assigned to the mobile node. The first address is your local address (HoA): this address never changes and is used to uniquely identify the identity of the node (hereinafter also called the mobile node or terminal). The second address is the so-called care address (CoA): this address effectively identifies the mobile terminal position within the visited subnet and then changes with each movement from one subnet to another.

Each movement involving a visited IP subnet change forces the handset to register its own care address by a server, called the Home Agent 2 (HA), which can be found on its provider network (also called " home network "). Any other IP terminal that attempts to communicate with the mobile node contacts the mobile node itself using the local address. Through normal IP forwarding, the traffic sent reaches the HA, which is addressed back to the current position of the mobile node, identified by the care address. Then, the mobile node can be constantly capable of being reached whatever its point of attachment to the network. Figure 1 shows a generic scenario of using the mobile IPv6 protocol within the IP network hosting a mobile node.

In particular, in Figure 1 a mobile node 10 has available a series of access points (20), which allow it, to establish a connection with the network of its provider and, in more detail, allows the opening of a communication session, designated at 40, through a private server 50 called home agent. The communication session 40 involves, in the example shown, the traffic data reception of a corresponding node, indicated by 15. The mobile node 10 within the IP movement network is pointed by the arrow 60. The home agent 50 ensures that the traffic generated by the corresponding node 15 reaches the mobile node 10 whatever the current node of the mobile node. The placement and charge level of home agent 50 greatly affect the performance experienced by the handset since they affect both the delay with which the mobile node receives the traffic data and the length of the temporary loss of connectivity (pass-through latency) which occurs 3 after each move from one access point to another. It is known [ref. It is possible to dynamically assign to the mobile terminal, for example when it is connected, a home agent that is capable of delivering optimal performance, namely a home agent that has the resources available of sufficient processing and that can be found as close as possible, in terms of the number of IP jumps, to the mobile terminal of the connection point.

However, in due time, the domestic agent, initially assigned according to these criteria, may no longer be able to provide a service with the appropriate quality. For example, this can occur in the following situations: - following continuous movements of the mobile terminal, it is possible that the local agent ends up being quite far from the current point of attachment of the mobile terminal itself; this causes a large increase in the latency of the transfer and the transfer of waiting traffic to its destination; - when the amount of traffic generated by the mobile terminals that can be found in the network changes, it is possible that the local agent is subject to a congestion state, with the consequent inability to manage all mobile terminals connected to it.

In order to solve this problem, an arrangement is known which is designated as agent-to-house protocol (HAHA) [ref. draft-wakikawa-mip6-nemo-haha-01], which allows the mobile node to change the home agent that is being used moment to moment, leaning at all times on the device that is able to guarantee the best performance . The architecture in which the inter-agent protocol is based, shown in Figure 2, provides that the mobile node 10 is served, rather than by a single home agent 50 (as in the case shown in Figure 1), by a group of home appliances 70 arranged within the operator network 30. All the home agents 70 belonging to the same group periodically exchange signaling messages to synchronize information about the position (namely local address and care address) of the mobile nodes that may be found inside the network.

Because of this synchronization process, home agents belonging to the same group are viewed through the mobile node 10 in the form of a single " virtual home agent " 80, which means that the mobile node 10 may be moved from one home agent to the other without modifying its own local address, in particular with minimal impact on ongoing communications.

This approach has, however, limitations that can make its application difficult, especially in the case of large networks (eg suppliers / operators with a significant number of home agents): each home agent must be manually configured [ref . draft-wakikawa-mip6-nemo-haha-01, page 17] with the addresses of all other home agents belonging to the same group. This complicates the management of the service and its delivery, especially when the number of home agents that can be found in the network is large; In order to allow the mobile node to maintain the same local address regardless of the home agent being used at any given time, home agents belonging to the same group have to switch from one user mode to the user a large number of signaling messages, which are required to synchronize the connection of tables between the local address and the address of care. This limits the ability to escalate the array, increasing the waste of resources, such as bandwidth resources, network connections, and load calculations for home agents.

The basic documentation cited below is included below. Most are IEFT standards and / or working papers. - mobility support for IPv6 (rfc3775); - IP mobility support for IPv4 (rfc3344); IPv6 auto-configuration without address state (rfc2462); - base protocol diameter (rfc3588); - the exchange of internet keys (rfc2409); - the internet key exchange protocol (IKEv2) (draft-ietf-ipsec-ikev2-15) - extensible authentication protocol (rfc3748); - EAP key management structure (draft-ietf-eap-keying-03); MIPv EAP-based authorization and configuration (draft-giaretta-mip6-authorization-eap-00); - authentication protocol for mobile IPv6 (draft-ietf-mip6-auth-protocol-00) 6

Object and Summary of the Invention From the above description and the current situation, it appears that there is a need to define a technique that allows real-time modification and with minimal impact on current communications, the local agent to be used by a mobile terminal . The object of the present invention is to satisfy the above stated need and in particular the present invention addresses the problem of providing a solution which does not have the critical points of the inter house protocol, and which can be used to enable the mobile terminal is always served by a home agent that is capable of delivering optimal performance without causing any disruption of user services.

According to the present invention, this object is obtained by means of a method having the features included in the following claims. The present invention also relates to a corresponding system, a network comprising such a system, in addition to a computer program product which may be loaded into the memory of the at least one computer and comprising software code portions for actuating with the above method. As used herein, reference to such a computer program product is understood to be equivalent to the reference to the readable media by a processor containing instructions for controlling a computer system in order to coordinate the performance of the method according to the invention. The reference to " at least one computer " is intended to emphasize the possibility that the present invention is implemented in a distributed and / or modular manner. 7

One presently preferred embodiment of the invention is applied to the provision of communications services to at least one mobile terminal in a communications network comprising a plurality of home agents, wherein the at least one mobile terminal is served by a home agent identified above within of the plurality. Services are provided to the mobile terminal within work sessions in a situation where: - an authentication, authorization and accounting (AAA) platform is provided in the communications network. And, the home agent serving the mobile terminal is identified within the above plurality through the AAA platform in a selective manner and changing within a single working session. The above preferred embodiment implies, inter alia, the following advantages: performance optimization: assigning a home agent closer to the mobile node allows optimizing the performance experienced by the user by reducing the transfer latency and the delay of transfer of traffic routed through the home agent; - load balancing: the possibility of modifying the home agent, being used by a certain user allows real-time intervention on the load between the household agents that are present in the network, in order to adapt to the type and amount of traffic generated by users. For example, in order to avoid the occurrence of a congestion state, it is possible in a dynamic way to decrease the charge level of a particular home agent to make one or more mobile nodes served by another home agent; - optimal use of operator network resources: assigning a home agent closer to the mobile node can reduce the amount of traffic passing through the network operator (for example, the backbone). In particular, this ensures optimum exploitation of the network resources, preventing traffic related to mobile nodes from passing uselessly through the geographic connections that constitute the backbone of the operator.

BRIEF DESCRIPTION OF THE DRAWINGS The invention will now be described, as a non-limiting example, with reference to the accompanying Figures of the drawings, in which: Figures 1 and 2 have already been previously described; Figure 3 shows a possible network architecture of the arrangement described herein; Figure 4 shows in more detail the network architecture of the arrangement described herein; Figure 5 shows a flow functional diagram representing a procedure for re-locating the home agent initiated by the mobile node and successfully completed; Figure 6 shows a functional flow diagram representing a procedure for re-locating the home agent requested by the mobile node but refused since it was not authorized; Figure 7 shows a functional flow diagram depicting a procedure for re-locating the home agent initiated by the home agent currently used through the mobile node and successfully completed; Figure 8 shows a flow functional diagram representing a procedure for re-locating the home agent initiated by the AAA server and successfully completed; Figure 9 shows a functional flow diagram representing a procedure for re-locating the home agent initiated by the AAA server but failed since it was related to a mobile node, which does not support the procedure; Figure 10 shows the closing procedure through the message count; Figure 11 shows a possible zoning of an operator network; Figure 12 shows a metric example between the zones in which an operator network can be divided; Figure 13 shows a possible new format of the link update message that may be used in the context of the arrangement described herein; Figure 14 shows the generic format of a mobility option that may be used in the context of the arrangement described herein; Figure 15 shows a possible format of a home-agent-of-re-location-of-data-mobility-option that can be used in the context of the arrangement described herein; and Figure 16 shows a possible format of a home-mover-of-re-location-of-lanes option that can be used in the context of the arrangement described herein. 10

Figure 3 shows with direct reference to the diagrams already shown in Figures 1 and 2 an example of network architecture in which the arrangement described herein is based. The architecture in Figure 3 provides the use of the authentication, authorization, and accounting platform (AAA) 90 of the vendor with which the user subscribed the service. In order to make such a platform, already normally present in the supplier's network 30, it authorizes, activates and monitors the entire process of migration to a new home agent (called a home agent) by sending configuration and information commands to the agents (AAA), authentication and accounting platform (90) and the mobile node (10) is performed with the support of the home agent currently serving the node (notably the home agent) through appropriate extensions in the AAA protocol, designated 100 in Figure 3, and mobile in IPv6 signaling messages, designated 102 in Figure 3.

Each of the home agents 70 present on the network thereby functions independently of the others and manages its own address space. Consequently, the mobile node 10 modifies its own local address after each home agent change. Survival of application sessions is ensured by providing a transitional period during which the mobile node 10 can simultaneously use the old and the new home addresses, so that the applications started before the start of the power reassignment process without interruption. 11

By operating in this way, by increasing the complexity of the mobile node 10, it must be able to simultaneously communicate with the old and the new (server) and with the new home agent (designated), and it is not necessary to provide any information exchange for the coordination of the domestic agents, being present in the network. An increase in capacity of the system will be scaled and a reduction of complementary signaling information is thus obtained. The mobile protocol ΙΡνβ (ΜΙΡνβ) is the solution, proposed within the IEFT (Internet Engineering Task Force), to manage the wide range mobility between IPv6 networks [ref. rfc3775]. The respective protocol allows a mobile node 10 to be used to access a network from different positions, retaining a unique identity, and to dynamically change the attachment point, while keeping the existing connections active.

As already stated, the protocol manages the mobility of the mobile node by introducing: - two different addresses ΙΡνβ for each mobile node, namely home address and care address, and - an agent, designated as home agent (HA).

Of the two different addresses: (i) the first one, namely the local address (HoA), is an address assigned by the provider with the service assigned to the user; this address never changes (at least for the duration of the entire working session) and is used to uniquely identify the identity of the mobile node; Ii) the second, namely the care address (CoA), is an address belonging to the visited network, dynamically obtained through the mobile node through the self-configuration ΙΡνβ [ref. rfc2462]. This address locates the current mobile node position and therefore changes with each movement of the mobile node itself. The home agent resides in the network of the provider with which the registered user subscribed the service (the " home network " call) and its task is to re-address the traffic destined for the mobile node 10 (namely the traffic directed to home address ) to the current position of the mobile node itself (namely the care address or CoA).

Although the mobile IPv6 also introduces a communication mode, designated by optimization, which provides direct communication between the mobile node 10 and the corresponding node 15, without the traffic passing through the home agent 50, the location of the local agent 50 is particularly important for the proper functioning of the protocol and for the performances experienced by the mobile node.

In fact, the round trip time (RTT) between the mobile node 10 and the home agent 50 and hence its distance greatly affects the transfer latency, namely the time interval during which, thereafter to a transfer, the mobile node is not able to receive and send packets.

In addition, if the communication between the mobile node 10 and the corresponding node 15 occurs in the bidirectional tunnel mode (for example, if the corresponding node 15 does not support the extensions provided by the IPv6 mobile), all home traffic data must pass through of the home agent 13 and therefore the position of the latter depending on the position of the mobile node 10 strongly affects the wait for transfer to which the traffic data is subjected. The arrangement described herein allows to assign to the mobile terminal, after it has been connected, a home agent that is capable of providing optimum performance, namely a home agent that is as close as possible in terms of the number of IP changes, the point of attachment of the handset. This can be achieved by using some of the provisions available in the literature to dynamically configure the mobile IPv6 terminals after their entry into the network, such as, for example, the arrangement described in [ref. draft-giaretta-mip6-authorization-eap-00].

When, due to its continuous movement, the mobile node moves away from its own home agent (serving as a home agent) and undergoes a decrease in the performances of the mobile IPv6 protocol, the arrangement described here allows to assign to the mobile node a new home agent ( household agent) that is capable of providing better performance than the former (serving as a household agent).

All without causing any disruption due to the applications and in a process carried out under the control of the supplier with which the user subscribed the service (domestic supplier), which has to authorize the change of domestic agent. Figure 4 shows the general overview and architectural elements upon which the proposed layout depends. 14

In particular, the following are emphasized: an authentication server, authorization and accounting 110 of the home mobile node (namely the AAA server of the provider with which the user subscribed the service). On the server 110, corresponding substantially to the platform indicated as 90 in Figure 3, there is a module whose function is to authorize, control and monitor the process of reassigning the home agent, which sends configuration and information commands to the mobile node 10 and for the home appliances 70 which are present in the network; - a home server agent 120, namely the home agent serving the mobile node 10. In the home agent 120, there is a module that interacts with the authentication, authorization and accounting server 110 and acts as an intermediary for communications with the mobile node 10;

One designated home agent 130, namely the home agent designated to serve the mobile node 10. In the home agent 130 resides a module that is capable of receiving the authentication, authorization and accounting server 110, the configuration information for use of the mobile IPv6 service by authorized users (eg local address, cryptographic material, privileges granted); A mobile node 10, namely the mobile node on which a module resides, which interacts with the authentication, authorization and accounting server 110 through the home server 120 and ensures the survival of application sessions during the re process -attribution of the domestic agent. The mechanism by which the migration of the home service agent 120 to the designated home agent 130 is managed is based on the following technical opinion. The mobile node 10 claims to support the change of the home agent without impact on the current communications (notably in an " unnoticed " mode) in the connection of update messages it sends to its own home agent using one of the reserved bits provided in [ref . rfc3775, pages 39-41]: the home agent 120 and the server 110 are then able to recognize which mobile nodes are able to complete the procedure. The procedure may be initiated either from the mobile node 10, or from the home server agent 120, or from the home provider's AAA server 110.

In the first two cases, the process is in any case authorized by the AAA server of the home provider 110.

In particular: (i) the mobile node can request the start of a home redistribution agent if it detects the existence of a home agent that could guarantee better performance (for example the discovery of a home agent in its own connection through the router 16 reception of an advertising message with bit Η = 1 [ref. 3775, pages 61-62]); ii) that the household agent 120 can activate the procedure in case of overload; (iii) the authentication, authorization and accounting server 110 may give rise to a re-assignment process of the home agent, in order to provide the mobile node 10 with a home agent 130 which allows better performance, usually characterized by a shorter distance in terms of IP hops from the mobile node 10: in order to be able to do so, the authentication, authorization and accounting server 110 keeps track of all the home agents that are present in the network, of the mobile nodes which of each of them is being supplied to the server and the position of the mobile nodes themselves. The communication of new configuration parameters to the mobile node 10 (namely the designated home agent address, the new local address and related security associations) is obtained by the definition of new mobility options [ref. rfc3775, pp. 46-47] within Binding and Binding Reconfiguration (BA) messages: this approach has the advantage of releasing the start of the re-authentication event real-time agent . The communication with the mobile node 10 can occur completely asynchronously (in particular, it can be started at any time). Survival of application sessions is guaranteed by the introduction of a mechanism for managing addresses that is similar to what is provided for " stateless self-configuration " IPv6 network procedure [ref. rfc2462]: Each local address is associated with a state that indicates whether the address can be used to initiate new communications or whether it can be used only for the purpose of existing communications.

Regardless of which node activates the procedure, there is provided a mechanism by which the mobile node 10 communicates with the network 30 which supports the process of re-assigning home agent and in particular the change of home agent without impact communications. In fact, the procedure for the proposed provision provides that, for a certain period, the mobile node 10 simultaneously uses two home addresses and then two local agents (120 and 130); this in particular implies that the mobile node 10 initiates and maintains two security IPsec associations with two different nodes.

It may happen, therefore, that not all mobile nodes are configured to support this new functionality. In addition, a terminal (for example PDA) may be unable to support the process because it has a limited processing capacity or a reduced memory space.

For this reason, each mobile node that supports the home agent reassignment process communicates this capability of the same to the network, for example, setting a bit to 1 on the update message link (designated R bit with 600 in Figure 13) who sends it to its own domestic agent; thus, the home server agent 120 always knows that mobile nodes are capable of switching home agents without this having an impact on current communications. This information, if necessary, is sent by the home agent 120 to the authentication, authorization, and accounting server 110.

As previously noted, the process of re-assigning the home agent may be initiated through the mobile node. The mobile node can request the start of the procedure when it receives a routed advertisement message (RA) with the H bit set to 1: this means that in the connection where it is, there is no home agent. The authentication, authorization and accounting server may decide to authorize, or not authorize, the request from the mobile node 10, depending on the user's current network status and service profile.

In case the request is authorized, the entire procedure is described in Figure 5: in a step 200 the mobile node 10 receives an advertisement router with the H bit set to 1, and decides to initiate a home agent re-assignment procedure; In a step 202, the mobile node 10 sends a connection update (BM) message to its home server agent 120, in which a new mobility option, HA-relocation-hints-mobility-option, is added. This option is a home agent reassignment request and contains: a) the address of the home agent who sent the forwarding ad; B) the address that the mobile node 10 configured on the visited connection and which could be the new local address; - in step 204 the home agent processes the connection update message as set forth in [ref. rfc3775, pages 88-92]; in the case of a ha-relocation-hints-mobility-option being present, the local agent sends to the authentication, authorization and accounting server 110 a home agent request message for re-placing comprising the following AVP attributes ( Attribute Pair Value): a) User-Name-AVP containing the network access identifier of the user requesting the activation procedure. The network access identifier is the identifier used by the user during authentication; in general it is of type user @ tipdomain. The home agent 120 knows the network access identifier of the mobile node that has to start the home agent reassignment process, since it shares an IPsec security association with it [ref. draft-giaretta-mip6-authorization-eap-00, page 19]; b) Serving-Home-Address-AVP containing the local address currently assigned to the mobile node; c) designated-home-agent-address-AVP and designated-home-address-AVP, respectively, containing the home agent address and the new local address (HoA) suggested by the mobile node in the previous ha-relocation- mobility-option; in a step 206 the authentication, authorization and accounting server 110 verifies whether the mobile node 10 is authorized to carry out the re-assignment process of the home agent; if the answer is yes, it selects a designated home agent 130, possibly the one indicated by the mobile node 10 (the information provided by the mobile node in HA-relocation-hints-mobility-option is interpreted as a simple suggestion, which means that the authentication, authorization and accounting server 110 may assign to the mobile node 10 a designated home agent and a designated local address other than those required), and dynamically con figure in a step 208 (for example, using the procedure defined in [ ref-draft-giaretta-mip6-authorization-eap-00]). At the end of this communication, the designated home agent 130 assigned the resources necessary to manage the mobile node 10; - when the communication between the server 110 and the home agent designated by 130 is terminated, in a step 210, the server 110 sends a home responder response response message to the home server agent 120 where it inserts the following AVP attributes : a) user-name-AVP containing the network access identifier of the mobile node 10; b) designated-home-agent-address-AVP containing the address of the designated home agent 130 reserved for the mobile node 10; c) designated-home-address-AVP containing the new local address of the mobile node 10; D) authorization-lifetime-AVP containing the lifetime, possibly equal to infinity, of the previous local address (serving local address). This value represents the remaining time during which the mobile node 10 can go, for example, serving the home agent together with the so-called home agent, to ensure the survival of application sessions, which were already active before starting the reassignment of the domestic agent. In other words, this time of life shows how long the process of re-assigning the domestic agent has to be completely complete; the home server agent 120 receives this information and in a step 212 communicates it to the mobile node 10, including the HA-relocation-data-mobility-option in the link acknowledgment (BA) message. This option shows whether the process has been successful through the code field and contains the lifetime of the previous local address, the address designated by the home agent, and the new local address; the mobile node 10 receives this information and in a step 214 negotiates an IPsec security association with the designated home agent 130. Then, the mobile node 10 may register itself with the designated home agent 130 in the connection update via connection and acknowledgment messages respectively designated by references 216 and 218 in Figure 5. In this transient period, the mobile node 10 communicates through simultaneous use of the local address server and designated local address. 22

Communications between the authentication, authorization and accounting server and the designated home agent may be performed as defined in references [ref. draft-giaretta-mip6-authorization-eap-00, pp. 9-12].

As established in [ref. rfc3775, pages 18-19], the mobile node 10 and the designated home agent 130 must share an IPsec security association 214 to protect IPv6 mobile signaling traffic.

Preferably, contrary to what has been described in [ref. the authentication, authorization and accounting server 110 does not send to the mobile node 10 with a pre-shared key (PSK) for the initialization program of such a security association IPsec over Internet Key Exchange (IKE) [ref. rfc2409]. 0 " secret " shared to establish the security association can in fact be derived from the authentication procedure, and in particular from the cryptographic material exported by the AEP (Extensible Authentication Protocol) method employed. This assumes that the mobile node uses the EAP protocol [ref. rfc3748] to access the network and that the authentication, authorization and accounting server can securely communicate to the designated home agent PSK: an example of how this communication can happen is described in [ref. draft-giaretta-mip6-authorization-eap-00, pages 11-12]. 23

In case the request for re-assignment of home agent from the mobile node 10 is prohibited, the entire procedure is described in Figure 6: - in a step 220 the mobile node 10 receives an advertisement router with the H bit set to 1, and decides to initiate a domestic agent reassignment procedure; - in a step 222, the mobile node 10 sends a link update (BU) message to its home server agent 120, in which a new mobility option, HA-relocation-hints-mobility-option; - in step 224 the home agent 120 processes the connection update message as set forth in [ref. rfc3775, pages 88-92]; in a step 226 the authentication, authorization and accounting server 110 decides not to authorize the request; in a step 228, the authentication, authorization and accounting server 110 responds to the message size of the home agent of request replacement from the home agent 120 by sending a resuit-code-AVP home agent reply message with a Diameter equal to DIAMETER_AUTHORISATION_REJECTED [ref. rfc3588] ;; - in a step 230 in turn the home agent server 120 communicates with the mobile node 10 the procedure failure through an HA-relocation-data-mobility-option option containing the FAIL value in the code field. The re-assignment process of the home agent can be requested and initiated also by the home server agent; in particular the home server agent can request the start of the procedure for a mobile node in case it is beginning to be overloaded and consequently has difficulties in managing all mobile nodes registered with it. Figure 7 shows the procedure flow in case of request originating from the home server agent that has been regularly authorized by the authentication, authorization and accounting server. The steps comprising the process are as follows: that the home server agent 120 in a step 240 experiences a trigger, which initiates the procedure: as has been said, the most significant case is the case of overloading the home agent; the home server agent 120 activates, in a step 242, the home agent reassignment process, by sending to the authentication, authorization and accounting server 110 a request HA reorder request message containing the access identifier to the network of the mobile node that you would like to stop serving and the corresponding local address. The mobile node is selected from those that support the reassignment process of the home agent, namely among those who have sent a link update with the R bit equal to 1; Authentication, Authorization and Accounting Server 110 verifies in a step 244 that the home server agent is authorized to initiate the process of reassigning home agent to the selected mobile node. If the answer is affirmative, the server 25 110 chooses, through an appropriate algorithm, a designated home agent 130 for that mobile node; - in step 246 the server 110 negotiates with the designated home agent 130 the IPv6 mobile service and the corresponding resources to be assigned. This can be accomplished using, for example, the procedure described in [draft-giaretta-mip6-authorization-eap-00]; - in a step 248, once the resource assignment process has been completed in the designated home agent 130, the server 110 sends to the home agent 120 HA a replacement of the response message in which the following AVP attributes are inserted: a) user -name-AVP containing the network access identifier of the mobile node 10; b) designated-home-agent-address-AVP with the designated home agent address; c) designated-home-address-AVP with the new local address; d) authorisation-lifetime-AVP containing the lifetime of the previous local address; - as soon as the local server agent 120 receives, in a step 250, a connection update message between the user (in order to expedite the process, the local agent can send a connection update request message, BRR, requesting the mobile node 10 to immediately send a new connection update), it responds in a step 252 with a confirmation message containing an HA-relocation-data-mobility-option connection. Such an option contains the lifetime of the previous local address, the designated local address, and the new local address (namely the configuration data provided by the server 110 in the previous reply HA reply message). Also in this case, the PSK circuit for the IPsec security association between the mobile node and the local agent is derived from EAP; At that time, in a step 254, the mobile node 10 starts an IPsec security association with the so-called home agent and performs the mobile IPv6 registration with it (namely the transmission of connection update messages and connection acknowledgment respectively designated by References 256 and 258 in Figure 7).

Also in this case the authentication, authorization and accounting server 110 may decide not to authorize the process of re-assignment of the requested home agent by what serves as home agent; this is done by sending to the home agent a response message from the home agent responder response with result-code-avp equal to DIAMETER_AUTHORIZATION_REJECTED. Figure 8 shows the re-assignment procedure of the home agent in the case of being initiated by the authentication, authorization and accounting server 110.

At least according to experiments hitherto conducted by the applicant, this case is probably the most significant among those disclosed. The authentication, authorization and accounting server 110 typically detects during a re-authentication procedure that the mobile node is far away in terms of IP leaps from the home agent and would therefore benefit from the assignment of a new domestic agent Information about the position of the mobile node can be easily obtained from the IP address of the network access server, from which the user performed the re-authentication procedure. The process comprises the following steps: In a step 260, the server 110 selects an appropriate designated home agent 130, and allocates the resources following, for example, the approach described in [ref. draft-giaretta-mip6-authorization-eap-00]; - once the server 110 in a step 262 has configured the designated home agent 130 it sends, in a step 264 a HA activation request requesting di- ameter to the home server agent 120 by inserting the following AVP attributes: a) user- name-AVP containing the user's network access identifier; b) serving-home-address-AVP containing the home address currently assigned to the mobile node; c) designated-home-agent-address-AVP containing the address of the designated home agent; d) designated-home-address-AVP containing the new local address assigned to the mobile node 10; e) authorization-lifetime-AVP containing the lifetime, possibly equal to infinity, of the previous local address (local server address); In a step 266 the home server agent 120 immediately sends a connection update request (BRR) message to the mobile node 10 in order to request the transmission of a connection update. The transmission of the BRR allows to avoid problems of time-out communication between home server agent 120 and server 110, since otherwise it is not possible to provide a determining mode at the time when the next update will be received from the mobile node 10; - after having received, in a step 268, the connection update between the mobile node 10 that has to carry out the re-assignment process home agent, on the connection acknowledgment, step 270, the home server agent 120 inserts a HA-relocation-data-mobility-option containing the lifetime of the previous local address, the address designated by the home agent and the new local address; - in step 272 the home agent 120 responds to the server 110 with a home agent activation response message, in which it is pointed out that the mobile node 10 has the information received to complete the procedure; - then the mobile node 10 may negotiate the IPsec security association with the designated home agent 130, step 274, and perform the mobile IPv6 registration with it, steps 276 and 278.

As previously indicated, the mobile node communicates with the home agent, by coupling updating messages, the home agent re-assignment process and the mobility options defined herein are sustained. This information arrives at the home server agent and not at the authentication, authorization, and accounting server: for this reason, the authentication, authorization, and accounting server can initiate a process of re-assigning home agent to a mobile node , which in practice does not support such functionality. 29

In such a case, in a step 280 in Figure 9, the home server agent 120 becomes aware that the mobile node 10 does not support the requested function. In a step 282 the home agent 120 communicates with the server 110 that the process can not be performed through a result activation code response message HA with result-code-AVP equal to DIAMETER_UNABLE_TO_COMPLY.

Based on the previously defined procedure, following the exchange with the local server agent for the connection reconnaissance update and the messages containing the new mobility option and consequent registration with the so-called home agent, the mobile node has two local addresses, associated with one or more household agents. The way in which the mobile node manages the simultaneous presence of these two registers and the criteria on which it completely erases the home agent record will now be described.

In this context, it is desirable that the process of re-assigning the home agent has no influence on the outgoing communications being conducted.

For example, if the mobile node, as soon as the registry with 0 designated the home agent terminated, performed with the deletion of the registry with the home server agent, the possible sessions in progress would not remain active since they were identified by the local address related to that server's home agent (namely with the local address). The proposed approach in the arrangement described herein is similar to that used in IPv6 networks for a stateless host configuration [ref. 2462]. The arrangement described herein inserts a state machine that regulates the use of a local address and, in particular, points out whether the local address can only be used for already active communications or also to initiate new communications.

The states that can be assumed by a local address are: - a first state, here called preferred local address: is an address for which there is no use restriction for higher levels. This implies that such addresses can be used to initiate new communications; in the process described herein, local address is in the preferred state, since when it is transferred to the mobile node until the process of re-assigning the home agent is completed by assigning a new local address (called a local address) ; - a second state, here called rejected local address: is an address whose use is allowed only for communications already activated; therefore, can not be used to initiate new communications. The local address goes from preferred state to the rejected state when the reassignment process of the home agent is completed and the mobile node has registered with the designated home agent; and - a third state, here called an invalid local address: an address in this state can not be used by the mobile node for either new communications or existing communications. The local address goes from the rejected state to the invalid state when the mobile node has finished all communications previously activated with that address; to prevent a local address from remaining in the rejected state for too long (for example, in the case of communications with a very long duration), an address can be changed to an invalid state even after a period of time has elapsed authentication, authorization, and accounting in authorisation-lifetime-AVP). It should be noted that, at the end of this time-out, it must in any case be characterized by a fairly high value, with the possible communications attached to that address being stopped.

In order to ensure the correct operation of the process, it is important that the authentication, authorization and accounting server 110 learn when the process itself is completed: in particular, it is necessary to provide that the authentication, authorization and accounting 110 is informed about when the mobile node is registered with the designated home agent and when it deletes its registration in the home agent. This information is made available to the authentication, authorization and accounting server 110 for two reasons: - they are used as confirmation of the correct operation of the procedure, in such a way that the authentication, authorization and accounting server 110 32 knows always the local agent that is what a particular mobile node serves; they may be used by the authentication, authorization and accounting server 110 to decide whether to authorize a new home agent in the re-assignment process; for example, authentication, authorization and accounting server 110 may decide not to authorize a mobile node, or serve as a home agent request in case the mobile node itself has not yet completed a previous re-assignment of the home agent. The proposed layout causes the information that they receive to the authentication, authorization and accounting server 110 using the diameter accounting messages; the process consists of the steps used in Figure 10: in a step 300 the mobile node 10 sends a link update message to the so-called home agent 130; in step 302 the designated home agent 130 responds to the mobile node 10 with a acknowledgment link; - after the mobile node 10 has registered with the designated home agent 130, in a step 304 the designated home agent 130 sends to an server 110 an accounting message to confirm that the boot message has occurred the registration; from this message the server 110 understands that the mobile node 10 has begun the current process of re-assigning the home agent and that the mobile node itself is registered with two different home agents (namely the home server agent and the home agent designated); 33 - in the period designated 306, it happens that the mobile node 10 simultaneously uses the home server agent 120 and the designated home agent 130; - in step 308, the mobile node 10 sends to the home agent 120 a lifetime link update message of zero, so as to explicitly erase its own register, and in a step 310 which receives the corresponding acknowledgment message binding. Alternatively, the mobile node 10 may leave its own register with which the home server agent 120 expires by itself, stopping periodically to confirm its validity by sending connection update messages to the home server agent 120; - after the status related to the mobile node 10 has been removed, in a step 312, the home server agent 120 sends to the authentication, authorization and accounting server 110 an accounting stop diameter message, as occurs to any network access server. The server 110 understands from this message that the mobile node is no longer registered in the server home agent 120 and therefore the re-assignment process of the home agent is fully terminated.

As stated in the references [ref. rfc3775, pages 18-19] it is necessary for the mobile node and the local agent to establish an IPsec security association, for example, by using the Internet Key Exchange [ref. rfc2409] before exchanging any connection updates or confirmation messages. 34

Differently from what is described in references [ref. in the proposed provision is provided that the previously shared key required for the Internet Key Exchange connection is not explicitly sent to the mobile node but is derived from the mobile node , itself, based on the EAP key hierarchy. The procedure for calculating and using such a key is described hereinafter.

At the end of the communication ΕΑΡ, the mobile node 10 and the authentication, authorization and accounting server 110 share two keys derived from a particular authentication method to be used: they are the master session key (MSK) and the extended master session key (EMSK) [ref. draft-ietf-eap-keying-03, pages 13-17]. This last key can, in turn, be used to derive other keys, defined as the master session key (AMSK) application, which are directly used by the applications [ref. draft-ietf-eap-keying-03, pages 13-17]; in particular, it is possible to derive a specific master session key for the mobile ΙΡνβ application that can be used as PSK in IKE phase 1.

Such a key is derived from the EMSK both through the mobile node 10 and the authentication, authorization and accounting server 110; the latter must then report it to the home agent. Such communication can be performed through the diameter protocol, for example with the approach defined in [ref. draft-giaretta-mip6-authorization-eap-00].

A possible function to derive from an EMSK an AMSK for mobile ΙΡνβ is as follows: 35 - KDF (K, L, D, 0) = ΤΙ I T2 I 13 I T4 I ... - TI = prf (K, SI 0 x 01) - T2 = prf (K, ΤΙ ISI 0 x 02) - T3 = prf (K, T2 ISI 0 x 03) where - prf = HMAC-SHA1

- K = EMSK - L = marker key = " key ΜΙΡνβ " - D = application data = home agent address - O = outputlength (2 bytes)

- S = L I " \ 0 " I D I O

Hereinafter is described a procedure that can be used by the authentication, authorization and accounting server 110 to choose the designated home agent 130 to be assigned to the mobile node during the home agent reassignment process. The approach is based on the division of the access operator's network into different zones, each characterized by the presence of one or more home agents, as shown in Figure 11. The mobile node 10 that can be found in zone 400 is usually managed by the domestic agent 410 corresponding to that zone; following a movement involving a zone change, 420 or 440, the network must decide whether the affected areas are far enough away to justify the start of a re-assignment of the household agent.

In addition to the areas where the access network is divided, it may be useful to define one or more roaming or roaming zones 460 comprising the home agents 470 dedicated to managing the users who are roaming in the networks of other providers 480. Figure 11 shows such home agents 470 as placed within the network structure at interconnection points 490 with other networks.

To manage the reassignment procedures of the home agent through this approach, the server 110, possibly referring to a centralized database 500 (e.g., an LDAP database), preferably maintains the following data structures:

Table Area: in this table, the authentication, authorization and accounting server 110 maintains the list of zones in which the access network has been divided and the possible roaming zones; - Server network access table: In this table, the authentication, authorization and accounting server 110 maintains the identifier of each network access server 510 that is present on the network (for example, the router, access point) and a list of information linked to it, including, in particular, the IP address and the zone to which it belongs; - Domestic agent table: an identifier is maintained for each household agent (for example IP addresses, network access identifier) along with other information, both on the node characteristics (type, maximum capacity, etc.) and level of the current node (namely the number of users served, which can be updated depending on the accounting information). Further, in this context, the authentication, authorization, and accounting server 110 maintains the information about the zone served by each home agent. From the information contained in these data structures, the authentication, authorization and accounting server 110 is able, in a timely manner, to know the zone in which a particular mobile node can be found, the zone to which its home agent and the global network situation. This information, however, may not be sufficient to decide when it is appropriate, or even necessary, to carry out the re-assignment process of the domestic agent; for this purpose a metric is determined that allows to provide an indication of the distance between the zones and depending on such metrics the when to start the procedure.

An example static metric for the network of Figure 11 and for its use in order to make a final decision about performing the procedure is shown in Figure 12. The table rows represent possible zones (400, 420, 440, 460) which relate to the home agent, whereas, the columns similarly represent the zones in which the mobile node can be found during its movement. Each box contains a value that represents the distance that separates the associated zone from the zone associated with the column. With reference to this table, the authentication, authorization and accounting server 110 may at any time obtain the metrics associated with the distance between the zone to which they relate and wherein the home agent for the zone to which the corresponding mobile node can be found. Depending on the value of this metric, the server 110 can decide whether or not to start the home agent reassignment process. 38

As an example, it is possible to assume a metric of three levels (1, 2 and 3) having the following meanings: -l = the process of re-assignment of the domestic agent is not necessary (namely the zone that the domestic agent matches with the zone in which the mobile node can be found, or, in any case, the two zones are very close in terms of number of IP jumps); -2 = the home agent reassignment process is optional (namely the zone with respect to the home server agent does not match the zone in which the mobile node can be found, but in any case the two zones are not spaced sufficient to make it strictly necessary to use the domestic agent reassignment process); -3 = the process of re-assignment of domestic agent is mandatory (namely the zone with respect to the domestic server agent is so far from the zone in which the mobile node can be observed in that the resort to the re-assignment procedure household agent is strongly recommended).

An alternative arrangement provides a dynamic update of the metrics depending on the instantaneous network load, which can be assessed by the estimated round trip time (RTT) between the different home and RTT agents between the mobile nodes, which are present in each zone, and the corresponding household agents.

The format of the mobility options and AVP attributes (attribute value pair) are then included. Figure 13 shows the link update message format, where bit 600 is highlighted, defined by the arrangement described herein: bit 600 (R) is set to at least 1 mobile node that supports the re-assignment process of the domestic agent. Figure 14 shows the format of a generic mobility option, as specified in [ref. rfc3775, pages 46-47]; as it can be seen, is a TLV format (type, length, value) with the presence of the type fields 610, length 620 and data 630. Figure 15 shows the home-agent-relocation-data-mobility-option. The fields defined are as follows: field 640 (code): shows the result of the procedure. This field can assume the following values: i) 0 = success ii) 128 = field 642 failed (reserved): the field reserved for future uses; - field 644 (lifetime): this field highlights the value in units of four seconds of the lifetime of the local address currently reserved for the mobile node (local address related to which the home server agent, namely the local address) . This value can also be infinite; - field 646 (local address): it contains the new local address allocated to the user (namely the designated home address); - Field 648 (home agent address): contains the designated home agent address. Figure 16 shows the format of the home-agent-relocation-hints-mobility-option.

It may be noted that it shows the local address 646 and home agent address fields 648 already entered for the home-agent-relocation-data-mobility-option. These fields can contain a null value in case the mobile node requests a home agent reassignment process without having received any router advertisement with bit Η = I.

The diameter messages used in the proposed arrangement here are as follows:

Request for replacement of domestic agent. This message is sent by the home server agent to the authentication, authorization, and accounting server to request the commencement of the home agent reassignment process; contains the following AVP attributes: - User-name-AVP; - Serving-home-address-AVP; - Designated-home-address-AVP (optional);

designated-home-agent-address-AVP (optional). - Domestic agent replacement response. This message is sent to the authentication, authorization and accounting server serving as home agent to communicate new configuration parameters that have to be delivered to the mobile node as part of the home agent reassignment process; contains the following AVP attributes: 41 - user-name-AVP; - designated-home-address-AVP; - designated-home-agent-address-AVP; - authorisation-lifetime-AVP. - Request for activation of replacement of domestic agent. This message is sent by the authentication, authorization and accounting server in case it is proposed to the house serving a process of re-assigning home agent to a particular mobile node; it contains the following AVP attributes: - user-name-AVP; - serving-home-address-AVP; - designated-home-address-AVP; - designated-home-agent-address-AVP; - Authorization-Lifetime-AVP.

Home Agent Replacement Activation Response. This message is sent by the home server agent to communicate to the authentication, authorization, and accounting server that the mobile node has been advised of the need to perform the home agent reassignment process; contains the following AVP attributes: - user-name-AVP; - result-AVP.

The AVP attributes used and / or defined in this document are as follows (the description is based on conventions and data types specified in [ref. Rfc3588]): 42 - user-name-AVP (AVP code 1). This AVP contains the user-name of the user expressed in the form of a network access identifier. The AVP is of type UTF8String. - serving-home-address-AVP. The AVP data field of this AVP is IPAddress type and contains the local address related to the home server agent. - designated-home-address-AVP. The AVP data field of this AVP is IPAddress type and contains the local address related to the designated home agent. - designated-home-agent-address-AVP. The AVP data field of this AVP is IPAddress type and contains the designated home agent address. - Authorization-lifetime-AVP (AVP code 291). This AVP is of type Unsigned32; the value contained in the AVP data field represents the lifetime in seconds of the authorization to use the services for a given user. In the case of the re-assignment process home agent, this value indicates the remaining period of time during which the mobile node can proceed using the home server agent in conjunction with the designated home agent to ensure the survival of application sessions , which were already active before the commencement of the domestic agent reassignment process. The described home agent reassignment process has been detailed taking into account a particular scenario characterized in this way: the mobile authentication node to authorize access to the network is performed through a PAD method (eg EAP-43 SIM, EAP -AKA) that is capable of exporting keys that can be used by other applications; - movements of the mobile node between different IP subnets that are managed through the mobile ΙΡνβ protocol, which guarantees the survival of application sessions through mobility events; - signaling messages exchanged between the mobile node and the local agent are protected (including authentication, integrity and confidentiality) through an IPsec security association; - the IPsec security association between the mobile node and the local agent is dynamically established through the IKE protocol; - communication between the authentication, authorization and accounting server and the home agents, which are present in the network (namely, the home server agent and the designated home agent) is carried out through the diameter protocol. The procedure of the described arrangement, however, can be extended, for example and without limitation, to situations in which: - the mobile authentication node is performed by methods other than EAP, but in any case able to generate ( cryptographic material that can be used by other applications (for example mobile IP); - Mobile node movements are managed using the mobile IPv4 protocol [ref. rfc3344], or other mobility management protocols, based on similar architectural principles; The signaling messages exchanged between the mobile node and the local agent are protected through a mechanism that is different from IPsec (for example, the arrangement described in [ref. Draft-ietf-mip6-auth-protocol-00] ), but, in any case, based on the existence of a shared secret (for example, the previously shared key) between the mobile node and the local agent - The IPsec security association between the mobile node and the local agent ) is dynamically established through the IKEv2 protocol [ref draft-ietf-ipsec-ikev2-15], or other mechanisms that allow the realization of the IPsec initialization program of a security association from a shared secret (eg the key previously shared); - communication between the authorization and accounting authentication server and the home agent (home server agent and designated home agent) is performed using any other protocol that is capable of managing the transport of genetic information content (RADIUS, SNMP , etc.).

Accordingly, without departing from the principle of the invention, the construction parts and the embodiments may vary, even greatly, from what is described and illustrated, merely as a non-limiting example of possible embodiments of the invention, without so that we depart from the scope of the invention as defined by the following claims. 14-03-2011 45

Claims (34)

Method for providing communication services to at least one mobile terminal (10) in a communications network (30) comprising a plurality of home agents (70), wherein said mobile terminal (10) which is at least one uses at least one address to be served by a home agent (70) identified within said plurality and said services are provided to said mobile terminal (10) which is at least one within work sessions, the method comprising the steps of : - providing, in said communication network (30), an authentication, authorization and accounting (AAA) platform (90), - selecting through said AAA platform (90) while at least one mobile terminal (10) is provided by a first home agent (120) in said plurality, a second home agent (130) adapted to serve said mobile terminal which is at least unitary, and providing said services to at least one mobile terminal (10) from said first home agent (120) to said second home agent (130), from said re-locating step comprising sending from said first platform AAA (90) for at least said mobile terminal (10) through said home agent (120) configuration information that is adapted for said mobile terminal that is at least unitary (10) for accessing said services through said second home agent (130). 1 A method according to claim 1, characterized in that it comprises the step of sending from the AAA platform (90) to said second home agent (130) configuration information which is adapted to configure said second home agent (130 ) to enable delivery of said services to at least one said mobile terminal (10). Method according to claim 1, characterized in that it comprises the step of re-allocating the provision of said communication services to said at least one mobile terminal (10) from a first home agent (120) to a second home agent (130) of said plurality (70), the redistribution being initiated by said at least one mobile terminal (10). A method according to claim 1, characterized in that it comprises the step of re-allocating the provision of said communication services to said at least one mobile terminal (10) from a first home agent (120) to a (130) of said plurality (70), the replacement being initiated by said first household agent (120). A method according to claim 1, characterized in that it comprises the step of re-allocating the provision of said communication services to said at least one mobile terminal (10) from a first home agent (120) to a second home agent (130) of said plurality (70), the redistribution being initiated by said AAA platform (90). A method according to claim 3 or claim 4, characterized in that said assignment is subject to an approval message of said AAA platform (90). A method according to claim 1, characterized in that the method comprises the step of re-allocating the provision of said communication services to said at least one mobile terminal (10) from a first home agent (120 ) to a second home agent (130) of said plurality (70) ensuring the survival of application sessions in progress. A method according to claim 1, characterized in that it comprises the step of re-allocating the provision of the communication services to said at least one mobile terminal (10) from a first home agent (120) to a (130) of said plurality (70) when at least one condition occurs in the group consisting of: - said at least one mobile terminal (10) detecting that said second home agent (130) is adapted to provide the (120) - said first home agent (120) detects the occurrence of an overload situation, and - said AAA platform (90) detects that said second home agent The home agent (130) is adapted to provide to said at least one mobile terminal (10) said communication services with better performance relative to the to said first household agent (120). 3 A method according to claim 2, characterized in that said configuration information sent to said second home agent (130) comprises parameters selected from the group consisting of: - an identifier of said at least one mobile terminal (10) , - a new address assigned to said at least one mobile terminal (10) for communication with said second home agent (130), and - the parameters necessary for activating a security association that can be used in communications between the said at least one mobile terminal (10) and the second home agent (130). A method according to claim 1, characterized in that said configuration information sent to said at least one mobile terminal (10) through said first home agent (120) comprises parameters selected from the group consisting of: - address of said second home agent (130), - a new address assigned to said at least one mobile terminal (10) for communications with said second home agent (130), and - the lifetime, possibly equal to infinity, of the address used by said at least one mobile terminal (10) for communications with said first home agent (120). A method according to claim 7, characterized in that, in order to ensure the survival of said four current application sessions, it provides the step of highlighting through a status function the fact that said address used by said (10) for communicating with said first home agent (120) is adapted to be used to initiate new communications and / or only to terminate existing communications. Method according to claim 11, characterized in that it comprises the step of assigning to said status function, at least one value chosen in the group consisting of: a first value, identifying that said address can be used to initiate new communications a second value, identifying that such address may be used only for existing communications, and - a third value, indicating that this address can not be used for either new communications or for existing communications. A method according to claim 12, characterized in that it comprises the steps of: - when said status function has said first value, allocates to said at least one mobile terminal (10) a new address for communication with the said second home agent (130) by switching said status function from said first value to said second value, and - switching said status function from said second value to said third value when said at least one mobile terminal (10) has terminated all communications previously activated, depending on the address used for communications with said first home agent (120). A method according to claim 13, characterized in that it comprises the step of forcing the passage of said state function from said second value to said third value when a time interval has elapsed. A method according to claim 2, characterized in that it comprises the step of establishing a security association (214) for protecting communications between said at least one mobile terminal (10) and said second home agent (130) by means of the steps of: - sending, from said AAA platform (90) to said second home agent (130), at least one secret for establishing said security association, and - deducing said secret from at least a mobile terminal (10) from the authentication procedure performed with said AAA platform (90). A method according to claim 1, characterized in that it comprises the step of configuring said network as a network in which the mobility terminal is managed with the mobile IP protocol. 6 A system for providing communication services to at least one mobile terminal (10) in a communications network (30) comprising a plurality of home agents (70), wherein said at least one mobile terminal (10) uses at least an address to be served by a home agent (70) identified from said plurality, said services being provided to said at least one mobile terminal (10) within work sessions, the system being characterized in that it comprises an authentication platform (90), said AAA platform (90) being configured to: - select, while said at least one mobile terminal (10) is served by the first home agent (120) in said plurality, a second (130) adapted to serve said at least one mobile terminal, and re-locating the provision of said services to said at least one mobile terminal (10) ap (120) for said second home agent (130) by sending to said at least one mobile terminal (10) through said first home agent (120) configuration information which is adapted to configure said first home agent at least one mobile terminal (10) for accessing said services through said second home agent (130). A system according to claim 17, characterized in that said AAA platform (90) is configured to send to said second home agent (130) configuration information that is adapted to configure said second home agent (130) for enabling the provision of said services to at least one mobile terminal (10). 7 A system according to claim 17, characterized in that it comprises a first home agent (120) and a second home agent (130) of said plurality (70), with the provision of said communication services for said at least one (10) to be re-assigned from said first (120) and said second (130) home agent, the replacement being adapted to be initiated by said at least one mobile terminal (10). A system according to claim 17, characterized in that it comprises a first home agent (120) and a second home agent (130) of said plurality (70), providing said communication services to said at least one terminal (10) to be re-assigned from said first (120) and said second (130) home agent, the replacement being adapted to be initiated by said first home agent (120). A system according to claim 17, characterized in that it comprises a first home agent (120) and a second home agent (130) of said plurality (70), the provision of said communication services to said at least one (10) capable of being reassigned from said first (120) and said second (130) home agent, the replacement being adapted to be initiated by said AAA platform (90). A system according to claim 19 or claim 20, characterized in that said re-assignment is subject to an approval message of said AAA platform (90). 8 A system according to claim 17, characterized in that it comprises a first home agent (120) and a second home agent (130) of said plurality (70), the provision of said communication services to said at least one (10) capable of being re-assigned from said first (120) and said second (130) home agent to ensure the survival of on-going application sessions. System according to claim 17, characterized in that it comprises a first home agent (120) and a second home agent (130) of said plurality (70), the provision of said communication services for said at least one a mobile terminal (10) capable of being reassigned from said first (120) and said second home agent (130) at the occurrence of at least one condition selected from the group consisting of: - said at least one mobile terminal (10) detecting that said second home agent (130) is adapted to provide said best-performing communication services with respect to said first home agent (120), - said first home agent (120) detects the occurrence of a (90) detects that said second home agent (130) is adapted to provide said at least one (10) said communication services having the best performances relative to said first home agent (120). A system according to claim 18, characterized in that said configuration information sent to said second home agent (130) comprises parameters selected from the group consisting of: - an identifier of said at least one mobile terminal (10); ), - a new address assigned to said at least one mobile terminal (10) for communications with said second home agent (130), and - the parameters necessary for activating a security association that can be used in communications between the said at least one mobile terminal (10) and said second home agent (130). A system according to claim 17, characterized in that said configuration information sent to said at least one mobile terminal (10) through said first home agent (120) comprises parameters selected from the group consisting of: - address of said second home agent (130) - a new address assigned to said at least one mobile terminal (10) for communications with said second home agent (130), and - the lifetime, possibly equal to infinity, of the address used by said at least one mobile terminal (10) for communicating with said first home agent (120). A system according to claim 23, characterized in that, in order to ensure the survival of the current application sessions, comprises, associated with the address used for communications between said at least one mobile terminal (10) and said first (120), a status function indicating that said address is adapted to be used to initiate new communications and / or to terminate existing communications. A system according to claim 27, characterized in that said state function is adapted to assume at least one value chosen in the group consisting of: a first value, identifying that said address can be used to initiate new communications a second value , identifying that this address may be used only for existing communications, and - a third value, indicating that this address can not be used for new communications or for existing communications. System according to claim 28, characterized in that the system is configured to: - when said status function has said first value, to assign to said at least one mobile terminal (10) a new address for communicating with said second home agent (130) by switching said status function from said first value to said second value, and - switching said status function of said second value to said third value when said at least one mobile terminal (10) has terminated all communications previously activated, depending on the address used for communications with said first home agent (120). A system according to claim 29, characterized in that the system is configured to force the passage of said status function from said second value to said third value when a time interval has elapsed. A system according to claim 18, characterized in that the system is configured to establish a security association (214) for protecting communications between said at least one mobile terminal (10) and said second home agent (130), the system comprising said AAA platform (90) configured to send to said second home agent (130) at least one secret for establishing said security association, and for deriving said secret from said at least one (10) from the authentication procedure performed with said AAA platform (90). A communications network comprising a plurality of home agents (70) for providing communication services to at least one mobile terminal (10), wherein said at least one mobile terminal (10) is served by a home agent (70). ) identified within said plurality and said services are provided to said at least one mobile terminal (10) within working sessions, characterized in that it comprises a system according to any one of claims 17 to 31. Communication network according to claim 32, characterized in that said network is a network in which the mobility of the terminal is managed with mobile IP protocol. A computer program product adapted to be loaded into the memory of at least one electronic computer and comprising software code portions for performing the method according to any one of claims 1 to 16.